What | Removed | Added |
---|---|---|
CC | mrueckert@suse.com |
It looks like the 389-ds package is not yet prepared to handle the capability setting correctly. It also fails in the devel project for the same reason at the moment.

There was no explicit request to backport this permission setting to SLE-15, but I synced the permissions package in SLE-15-SP1 with Factory to avoid a bunch of backports. Correctly using the CAP_NET_BIND_SERVICE capability would be an improvement for SLE-15-SP1, too. It shouldn't be too much effort to get it working. The capability bit for ns-slapd is set anyways even in SLE-15:GA already, even if it is not actually used.

From the security perspective we've reviewed 389-ds version 1.4.0.18 in bug 1111564. In SLE-15-SP1 we have version 1.4.03. 1.4.0.18 contains only maintenance changes and it looks like there are no major changes in the area of the initialization code. Therefore it should be safe to apply the capability bit there as well.